CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-RGMG-XVFM-8VFH
Vulnerability from github – Published: 2024-05-03 09:30 – Updated: 2024-05-03 09:30Broken Access Control vulnerability in ReviewX.This issue affects ReviewX: from n/a through 1.6.21.
{
"affected": [],
"aliases": [
"CVE-2024-33921"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T09:15:09Z",
"severity": "MODERATE"
},
"details": "Broken Access Control vulnerability in ReviewX.This issue affects ReviewX: from n/a through 1.6.21.\n\n",
"id": "GHSA-rgmg-xvfm-8vfh",
"modified": "2024-05-03T09:30:52Z",
"published": "2024-05-03T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33921"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-21-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RJ73-RM78-8MX4
Vulnerability from github – Published: 2024-12-07 00:31 – Updated: 2024-12-12 03:33Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_costmap_2d.
{
"affected": [],
"aliases": [
"CVE-2024-41650"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T22:15:21Z",
"severity": "HIGH"
},
"details": "Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_costmap_2d.",
"id": "GHSA-rj73-rm78-8mx4",
"modified": "2024-12-12T03:33:00Z",
"published": "2024-12-07T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41650"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/issues/4489"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/pull/4495"
},
{
"type": "WEB",
"url": "https://github.com/GoesM/ROS-CVE-CNVDs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RM3C-R6H9-R9RG
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
{
"affected": [],
"aliases": [
"CVE-2020-7063"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-27T21:15:00Z",
"severity": "MODERATE"
},
"details": "In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.",
"id": "GHSA-rm3c-r6h9-r9rg",
"modified": "2022-05-24T17:09:52Z",
"published": "2022-05-24T17:09:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7063"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=79082"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4330-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4717"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-14"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQP2-5J8F-59R3
Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-01-07 18:30An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.
{
"affected": [],
"aliases": [
"CVE-2024-46622"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T18:15:19Z",
"severity": "CRITICAL"
},
"details": "An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.",
"id": "GHSA-rqp2-5j8f-59r3",
"modified": "2025-01-07T18:30:47Z",
"published": "2025-01-06T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46622"
},
{
"type": "WEB",
"url": "https://www.secureage.com"
},
{
"type": "WEB",
"url": "https://www.secureage.com/blog/resolved-escalation-of-privilege"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V24X-74GW-CRVQ
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-11 18:30Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to create a fake node via supplying crafted packets.
{
"affected": [],
"aliases": [
"CVE-2024-50920"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:30Z",
"severity": "HIGH"
},
"details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to create a fake node via supplying crafted packets.",
"id": "GHSA-v24x-74gw-crvq",
"modified": "2024-12-11T18:30:42Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50920"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V3V5-MR33-C4HG
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-12 03:33Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause a Denial of Service (DoS) via repeatedly sending crafted packets to the controller.
{
"affected": [],
"aliases": [
"CVE-2024-50921"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:30Z",
"severity": "MODERATE"
},
"details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause a Denial of Service (DoS) via repeatedly sending crafted packets to the controller.",
"id": "GHSA-v3v5-mr33-c4hg",
"modified": "2024-12-12T03:33:01Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50921"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V43Q-J5J9-QMVQ
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-10-06 00:00Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6564"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-21T20:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.",
"id": "GHSA-v43q-j5j9-qmvq",
"modified": "2022-10-06T00:00:52Z",
"published": "2022-05-24T17:29:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6564"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html"
},
{
"type": "WEB",
"url": "https://crbug.com/841622"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EE7XWIZBME7JAY7N6CGPET4CLNHHEIVT"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4824"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00072.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00078.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00081.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V662-XPCC-9XF6
Vulnerability from github – Published: 2021-03-23 22:47 – Updated: 2021-03-23 22:24Impact
The {{wikimacrocontent}} executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes possible to inject scripts through it and they will be executed with the rights of the wiki macro (very often a user which has Programming rights).
Fortunately, no such macro exists by default in XWiki Standard but one could have been created or installed with an extension.
Patches
It has been patched in versions XWiki 12.6.3, 11.10.11 and 12.8-rc-1.
Workarounds
There is no easy workaround other than disabling the affected macros. Inserting content in a safe way or knowing what is the user who called the wiki macro is not easy.
References
https://jira.xwiki.org/browse/XWIKI-17759
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at our security mailing list
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rendering-wikimacro-store"
},
"ranges": [
{
"events": [
{
"introduced": "11.4"
},
{
"fixed": "11.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rendering-wikimacro-store"
},
"ranges": [
{
"events": [
{
"introduced": "12.0"
},
{
"fixed": "12.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.7.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rendering-wikimacro-store"
},
"ranges": [
{
"events": [
{
"introduced": "12.7"
},
{
"fixed": "12.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21379"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-23T22:24:20Z",
"nvd_published_at": "2021-03-12T18:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nThe `{{wikimacrocontent}}` executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes possible to inject scripts through it and they will be executed with the rights of the wiki macro (very often a user which has Programming rights).\n\nFortunately, no such macro exists by default in XWiki Standard but one could have been created or installed with an extension.\n\n### Patches\n\nIt has been patched in versions XWiki 12.6.3, 11.10.11 and 12.8-rc-1.\n\n### Workarounds\n\nThere is no easy workaround other than disabling the affected macros.\nInserting content in a safe way or knowing what is the user who called the wiki macro is not easy.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-17759\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org)\n* Email us at [our security mailing list](mailto:security@xwiki.org)",
"id": "GHSA-v662-xpcc-9xf6",
"modified": "2021-03-23T22:24:20Z",
"published": "2021-03-23T22:47:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v662-xpcc-9xf6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21379"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-17759"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "It\u0027s possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro"
}
GHSA-V6CW-CWP6-X9PW
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Microsoft Graphics Component Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8574.
{
"affected": [],
"aliases": [
"CVE-2017-8556"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Microsoft Graphics Component Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8574.",
"id": "GHSA-v6cw-cwp6-x9pw",
"modified": "2022-05-13T01:47:36Z",
"published": "2022-05-13T01:47:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8556"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8556"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99439"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7MG-HCRM-5CMJ
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-07-13 00:01In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-192663648
{
"affected": [],
"aliases": [
"CVE-2021-39622"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "HIGH"
},
"details": "In GBoard, there is a possible way to bypass Factory Reset Protection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-192663648",
"id": "GHSA-v7mg-hcrm-5cmj",
"modified": "2022-07-13T00:01:37Z",
"published": "2022-01-15T00:01:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39622"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-01-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.